2

I would like to ban IP addresses after incorrect (RDP right now, soon to be VPN once I get that going) login attempts on a Windows Server 2008 R2 machine I help administer.

This answer specifically talks about ssh, which I'm not running.

This answer mentions terminal services and remote desktop.

No one specifically mentions VPN.

Will both of these apply to VPN? I'm a little bit uncertain about how Windows handles these different failed logins. It looks like these will be Logon Type: 10 (RDP) and Logon Type: 3 (VPN + terminal services...?). From what I understand, these tools will have to parse the Windows Event Log to grab the incorrect logins, and then modify the Firewall rules.

I would like to try WinFail2Ban because I've used it in Linux before. Administering Linux (just SSH!) is WAY easier. Does anyone have experience with this? Will it work? I found ZERO questions with WinFail2Ban on serverfault.

Thank you very much for the help. I will simply start trying things, likely starting with WinFail2Ban. Since I am very new at Windows Server 2008, I wanted to post a question here first.

Brian Stinar

1 Answer

1

I have a C# program that does exactly this. I had an issue on Server 2008 R2 where the event log didn't always list the IP addresses of the user (if they connected from the newer Remote Desktop clients). Some services implement their own credential check provider that doesn't provide all of the information you would want.

http://cyberarms.net/security-insights/security-lab/remote-desktop-logging-of-ip-address-%28security-event-log-4625%29.aspx

For Remote Desktop, however, I discovered that going into "Remote Desktop Session Host Configuration" and changing the RDP-TCP connection to have the security layer of "RDP Security Layer" instead of "Negotiate" or "SSL (TLS 1.0)" brought back the IP addresses.

Whether you really want to do this is another question for you: "If you select RDP Security Layer, you cannot use Network Level Authentication."

VPN should generate similar events in the Security Log (I found http://www.windowsecurity.com/articles/logon-types.html to be helpful). I used EventLogWatcher and bound to "*[System/EventID=4625 or System/EventID=4624]" so I could reset a bad count on success if the user genuinely just got their password wrong. Also, I whitelisted ::1, 0.0.0.0, 127.0.0.1 and "-".

I use Forefront TMG, so I used the API to add bad IP addresses to a group of IPs that way, and I've asked Cisco to add API access to one of their SMB routers (which they have assured me they just might do!).

If you want to use the native Windows Firewall to block them, have a look at the API for that ("netsh advfirewall").

Matthew1471
  • You can both use SSL and get IpAddress in audit log. See my answer here - http://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-correctly-on-2008-terminal-se/729662#729662 – wqw Oct 17 '15 at 13:01
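
The counting logic described in the answer above, written in PowerShell as an added example (it is not the answerer's C# program or any tool named on this page). The threshold of 5, the function names and the `AutoBan-` rule-name prefix are assumptions, and the sample records are constructed.

```powershell
# Added example. Threshold, function names and rule-name prefix are assumptions.
$Threshold = 5
$Whitelist = '::1', '0.0.0.0', '127.0.0.1', '-'   # values whitelisted in the answer

# Reduce a Security-log event to its ID and the IpAddress field of its EventData.
function ConvertTo-LogonRecord($LogEvent) {
    $xml = [xml]$LogEvent.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    New-Object PSObject -Property @{ Id = $LogEvent.Id; Ip = $ip }
}

# Count 4625 failures per source IP; a 4624 success from that IP resets its count.
# Records must be in chronological order. Emits each IP when it reaches the threshold.
function Get-BanCandidate($Records, $Threshold, $Whitelist) {
    $fails = @{}
    foreach ($r in $Records) {
        if (-not $r.Ip -or $Whitelist -contains $r.Ip) { continue }   # no usable source address
        if ($r.Id -eq 4624) { $fails[$r.Ip] = 0; continue }
        if ($r.Id -ne 4625) { continue }
        $fails[$r.Ip] = 1 + [int]($fails[$r.Ip])
        if ($fails[$r.Ip] -eq $Threshold) { $r.Ip }
    }
}

# Live use (elevated prompt): read the log oldest-first and add one block rule per IP.
function Invoke-AutoBan {
    $query   = '*[System/EventID=4625 or System/EventID=4624]'
    $records = Get-WinEvent -LogName Security -FilterXPath $query |
        Sort-Object TimeCreated | ForEach-Object { ConvertTo-LogonRecord $_ }
    Get-BanCandidate $records $Threshold $Whitelist | Select-Object -Unique | ForEach-Object {
        netsh advfirewall firewall add rule "name=AutoBan-$_" dir=in action=block "remoteip=$_"
    }
}

# Constructed sample records (documentation addresses) to exercise the logic offline.
function New-Record($Id, $Ip) { New-Object PSObject -Property @{ Id = $Id; Ip = $Ip } }
$sample  = @(1..5 | ForEach-Object { New-Record 4625 '203.0.113.7' })     # five straight failures
$sample += @(1..3 | ForEach-Object { New-Record 4625 '198.51.100.20' })   # mistyped password...
$sample += New-Record 4624 '198.51.100.20'                                # ...then a success
$sample += @(1..3 | ForEach-Object { New-Record 4625 '198.51.100.20' })
$sample += @(1..6 | ForEach-Object { New-Record 4625 '-' })               # address not logged
Get-BanCandidate $sample $Threshold $Whitelist
```

`Invoke-AutoBan` is defined but not called, so the block runs against the constructed records only. Rules added with `netsh advfirewall firewall add rule` stay in place until deleted, so bans that should expire need a separate cleanup step.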